Hey world - hopefully this helps other hosts out there. We just learned of a spam hack that took place. Although the holes aren't completely patched, I have a good temporary workaround until we can do more research. This hack is brand new, involves Joomla sites, and a file called writedoor2.php.
Here are some files you'll see in every Joomla installation if you are vulnerable:
/home/USERNAME/public_html/modules/footer_t.php
/home/USERNAME/public_html/modules/defaults.php
/home/USERNAME/public_html/modules/mod_mainmenu/extra/
extra/feed3.php extra/index.php extra/mi.php extra/writedoor2.php
The easiest files to find are writedoor2.php, mi.php, or footer_t.php.
These files combine to insert code at the top of your site with links to hidden menu items on YOUR site that are full of spam link html files. The link will probably be at the top of the page, visible with a view-source.
If you don't want to restore hundreds of sites from backups on a whim, I came up with a very basic workaround.
Be sure you understand ROOT access and the console. Do NOT break your server and complain on forums. If you want my help you can call our office and ask for Troy.
Step 1.
# locate footer_t.php
You will get an output showing all the paths this file is in. Copy this entire output to notepad.

Step 2.
# mkdir /root/hackfix
# touch /root/hackfix/defaults.php
# touch /root/hackfix/footer_t.php
Hopefully these files will have only read permissions by default, so the hackers can't write over them. They are blank, so including them in your sites will have no effect.
Step 3.
In notepad, do a replace: take the string /home/ and replace ALL with:
/bin/cp /root/hackfix/* /home/

and replace /footer_t.php with /

Step 4.
Paste the first line into your console and make sure that site is 'patched' - if it worked, paste in the whole file.
This is a workaround.
Hopefully someone with scripting skills can comment on a version of this process that is like one Linux command.
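Steps 1 to 4 as a single shell function, as an added example that is not from the original post: it uses find rather than locate, creates the blank files with an explicit read-only mode, and moves each original into a quarantine directory before replacing it. The function name, its two arguments and the quarantine path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Automates Steps 1-4.
# Assumptions: sites live under <home_root>/*/public_html/modules (as in the
# post); the quarantine directory is a hypothetical place for saved copies.
# Usage (as root): neutralise_joomla_spam /home /root/hackfix/quarantine

neutralise_joomla_spam() {
    home_root="${1:-/home}"
    quarantine="${2:-/root/hackfix/quarantine}"
    list=$(mktemp) || return 1
    patched=0

    # Step 1: find instead of locate, so a stale locate database cannot hide hits.
    find "$home_root" -type f -path '*/public_html/modules/footer_t.php' \
        > "$list" 2>/dev/null || :

    while IFS= read -r hit; do
        moddir=$(dirname "$hit")
        for name in footer_t.php defaults.php; do
            target="$moddir/$name"
            # Root writing into user-owned directories must never follow a symlink.
            if [ -L "$target" ]; then
                echo "SKIPPED symlink: $target" >&2
                continue
            fi
            # Keep the original for later analysis before neutralising it.
            if [ -f "$target" ]; then
                mkdir -p "$quarantine$moddir"
                mv -- "$target" "$quarantine$moddir/$name"
            fi
            # Steps 2-3: blank replacement, created 0444 and owned by the caller.
            ( umask 0333; : > "$target" )
            patched=$((patched + 1))
        done
        # writedoor2.php and the other extra/ files live here; flag for review.
        if [ -d "$moddir/mod_mainmenu/extra" ]; then
            echo "REVIEW: $moddir/mod_mainmenu/extra"
        fi
    done < "$list"

    rm -f "$list"
    echo "$patched file(s) replaced"
}
```

Each modules directory still belongs to the site account, so this remains the same temporary workaround as the manual steps.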